v1.0.0

Oracle

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

The skill is coherent and user-directed, but it relies on an external Oracle CLI that can send selected files to AI providers and store local sessions, so users should control what they attach.

Guidance: This skill appears benign and consistent with its description. Before installing or using it, verify the @steipete/oracle package, run dry-runs and files reports, choose a narrow file set, avoid attaching secrets such as .env files or keys, be aware of API/browser account usage, and secure or avoid the remote browser-host mode unless you need it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
install spec
node | package: @steipete/oracle | creates binaries: oracle

The skill requires installing and running an external npm-provided CLI. That is central to the skill's purpose, but users should trust the package source before installation.

User impact: Installing the skill may add an external command-line tool to the user's environment.
Recommendation: Verify the npm package and homepage are the intended Oracle CLI, and consider pinning or reviewing the package before use in sensitive environments.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Remote browser host:
  - Host: `oracle serve --host 0.0.0.0 --port 9473 --token <secret>`

The documentation includes an optional remote browser server bound to all interfaces. It is token-protected and disclosed, but it exposes a browser-automation workflow beyond the local machine if used.

User impact: If the remote browser host is started on a reachable network, someone with the token could interact with that service.
Recommendation: Use a strong token, restrict network exposure with firewalling or localhost/VPN where possible, and avoid remote hosting unless needed.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Auto-pick: `api` when `OPENAI_API_KEY` is set; otherwise `browser`.

The CLI can use an existing OpenAI API key from the environment, even though the registry metadata declares no required credentials. This appears optional and purpose-aligned, not hidden.

User impact: Runs may use the user's AI-provider account, API quota, or paid credits if a relevant credential is already configured.
Recommendation: Check which engine is selected before running, use `--dry-run` where possible, and explicitly choose `--engine browser` or `--engine api` to avoid surprises.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Oracle bundles your prompt + selected files into one “one-shot” request so another model can answer with real repo context (API or browser automation).

The core workflow sends user-selected prompts and files to another model/provider. This is disclosed and aligned with the skill's purpose, but it is an important data-sharing boundary.

User impact: Selected project files, prompts, and error text may be shared with external AI services or browser sessions.
Recommendation: Attach only the minimum necessary files, use the documented dry-run and files report, and redact secrets or proprietary data before sending.
Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Stored under `~/.oracle/sessions` (override with `ORACLE_HOME_DIR`).

The CLI stores sessions locally for reattachment. Persistent session state is disclosed and useful for long-running tasks, but may retain task context.

User impact: Prompts, session identifiers, or related run state may remain on disk after use.
Recommendation: Store sessions in an appropriate location, avoid including secrets in prompts or attachments, and clean old sessions when they are no longer needed.